X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fkernel%2FActivator.java;h=6d50f3dabed2f2c1de6b758c6fb35080a37a7f4c;hb=52a45835da8cd816ac2e2b22ee9b84101fe8fb06;hp=03cbbd90df2473c0bbc74848364a2c9d7fb1bec9;hpb=ba8f8a6fb8ad9649dd03b2ac4670d194f0e1be79;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java index 03cbbd90d..6d50f3dab 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java @@ -2,173 +2,276 @@ package org.argeo.cms.internal.kernel; import java.io.IOException; import java.net.URL; +import java.security.AllPermission; import java.util.Dictionary; -import java.util.Hashtable; import java.util.List; import java.util.Locale; +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Executors; + +import javax.security.auth.login.Configuration; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.argeo.cms.CmsException; -import org.argeo.node.ArgeoLogger; -import org.argeo.node.NodeConstants; -import org.argeo.node.NodeState; -import org.argeo.node.RepoConf; -import org.argeo.util.LangUtils; +import org.argeo.api.ArgeoLogger; +import org.argeo.api.NodeConstants; +import org.argeo.api.NodeDeployment; +import org.argeo.api.NodeInstance; +import org.argeo.api.NodeState; +import org.argeo.ident.IdentClient; +import org.ietf.jgss.GSSCredential; +import org.osgi.framework.Bundle; import org.osgi.framework.BundleActivator; import org.osgi.framework.BundleContext; import org.osgi.framework.Constants; -import org.osgi.framework.ServiceReference; -import org.osgi.service.cm.Configuration; -import org.osgi.service.cm.ConfigurationAdmin; -import org.osgi.service.cm.ManagedService; +import org.osgi.framework.FrameworkUtil; +import org.osgi.service.condpermadmin.BundleLocationCondition; +import org.osgi.service.condpermadmin.ConditionInfo; import org.osgi.service.condpermadmin.ConditionalPermissionAdmin; +import org.osgi.service.condpermadmin.ConditionalPermissionInfo; +import org.osgi.service.condpermadmin.ConditionalPermissionUpdate; import org.osgi.service.log.LogReaderService; +import org.osgi.service.permissionadmin.PermissionInfo; +import org.osgi.service.useradmin.UserAdmin; +import org.osgi.util.tracker.ServiceTracker; /** - * Activates the {@link Kernel} from the provided {@link BundleContext}. Gives - * access to kernel information for the rest of the bundle (and only it) + * Activates the kernel. Gives access to kernel information for the rest of the + * bundle (and only it) */ public class Activator implements BundleActivator { - // public final static String SYSTEM_KEY_PROPERTY = - // "argeo.security.systemKey"; - private final Log log = LogFactory.getLog(Activator.class); - - // private final static String systemKey; - // static { - // System.setProperty(SYSTEM_KEY_PROPERTY, systemKey); - // } + private final static Log log = LogFactory.getLog(Activator.class); - // private static Kernel kernel; private static Activator instance; - private BundleContext bc; - private ConditionalPermissionAdmin permissionAdmin; + // TODO make it configurable + private boolean hardened = false; + + private static BundleContext bundleContext; + private LogReaderService logReaderService; - private ConfigurationAdmin configurationAdmin; private NodeLogger logger; private CmsState nodeState; + private CmsDeployment nodeDeployment; + private CmsInstance nodeInstance; - @Override - public void start(BundleContext bundleContext) throws Exception { - // try { - // kernel = new Kernel(); - // kernel.init(); - // } catch (Exception e) { - // log.error("Cannot boot kernel", e); - // } + private ServiceTracker userAdminSt; + private ExecutorService internalExecutorService; + static { + Bundle bundle = FrameworkUtil.getBundle(Activator.class); + if (bundle != null) { + bundleContext = bundle.getBundleContext(); + } + } + + void init() { + Runtime.getRuntime().addShutdownHook(new CmsShutdown()); instance = this; - this.bc = bundleContext; - this.permissionAdmin = getService(ConditionalPermissionAdmin.class); - this.logReaderService = getService(LogReaderService.class); - this.configurationAdmin = getService(ConfigurationAdmin.class); +// this.bc = bundleContext; + if (bundleContext != null) + this.logReaderService = getService(LogReaderService.class); + this.internalExecutorService = Executors.newFixedThreadPool(Runtime.getRuntime().availableProcessors()); + + try { + initSecurity(); + initArgeoLogger(); + initNode(); + + if (log.isTraceEnabled()) + log.trace("Kernel bundle started"); + } catch (Throwable e) { + log.error("## FATAL: CMS activator failed", e); + } + } - initSecurity();// must be first - initArgeoLogger(); - initNodeState(); + void destroy() { + try { + if (nodeInstance != null) + nodeInstance.shutdown(); + if (nodeDeployment != null) + nodeDeployment.shutdown(); + if (nodeState != null) + nodeState.shutdown(); + + if (userAdminSt != null) + userAdminSt.close(); + + internalExecutorService.shutdown(); + instance = null; + bundleContext = null; + this.logReaderService = null; + // this.configurationAdmin = null; + } catch (Exception e) { + log.error("CMS activator shutdown failed", e); + } } private void initSecurity() { - URL url = getClass().getClassLoader().getResource(KernelConstants.JAAS_CONFIG); - System.setProperty("java.security.auth.login.config", url.toExternalForm()); + if (System.getProperty(KernelConstants.JAAS_CONFIG_PROP) == null) { + String jaasConfig = KernelConstants.JAAS_CONFIG; + URL url = getClass().getResource(jaasConfig); + // System.setProperty(KernelConstants.JAAS_CONFIG_PROP, + // url.toExternalForm()); + KernelUtils.setJaasConfiguration(url); + } + // explicitly load JAAS configuration + Configuration.getConfiguration(); + + // code-level permissions + String osgiSecurity = KernelUtils.getFrameworkProp(Constants.FRAMEWORK_SECURITY); + if (osgiSecurity != null && Constants.FRAMEWORK_SECURITY_OSGI.equals(osgiSecurity)) { + // TODO rather use a tracker? + ConditionalPermissionAdmin permissionAdmin = bundleContext + .getService(bundleContext.getServiceReference(ConditionalPermissionAdmin.class)); + if (!hardened) { + // All permissions to all bundles + ConditionalPermissionUpdate update = permissionAdmin.newConditionalPermissionUpdate(); + update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, + new ConditionInfo[] { + new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { "*" }) }, + new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) }, + ConditionalPermissionInfo.ALLOW)); + // TODO data admin permission +// PermissionInfo dataAdminPerm = new PermissionInfo(AuthPermission.class.getName(), +// "createLoginContext." + NodeConstants.LOGIN_CONTEXT_DATA_ADMIN, null); +// update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, +// new ConditionInfo[] { +// new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { "*" }) }, +// new PermissionInfo[] { dataAdminPerm }, ConditionalPermissionInfo.DENY)); +// update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, +// new ConditionInfo[] { +// new ConditionInfo(BundleSignerCondition.class.getName(), new String[] { "CN=\"Eclipse.org Foundation, Inc.\", OU=IT, O=\"Eclipse.org Foundation, Inc.\", L=Nepean, ST=Ontario, C=CA" }) }, +// new PermissionInfo[] { dataAdminPerm }, ConditionalPermissionInfo.ALLOW)); + update.commit(); + } else { + SecurityProfile securityProfile = new SecurityProfile() { + }; + securityProfile.applySystemPermissions(permissionAdmin); + } + } + } private void initArgeoLogger() { logger = new NodeLogger(logReaderService); - - // register - bc.registerService(ArgeoLogger.class, logger, null); + if (bundleContext != null) + bundleContext.registerService(ArgeoLogger.class, logger, null); } - private void initNodeState() throws IOException { + private void initNode() throws IOException { + // Node state nodeState = new CmsState(); + registerService(NodeState.class, nodeState, null); + + // Node deployment + nodeDeployment = new CmsDeployment(); + registerService(NodeDeployment.class, nodeDeployment, null); + + // Node instance + nodeInstance = new CmsInstance(); + registerService(NodeInstance.class, nodeInstance, null); + } + + public static void registerService(Class clss, T service, Dictionary properties) { + if (bundleContext != null) { + bundleContext.registerService(clss, service, properties); + } + + } - Object cn; - Configuration nodeConf = configurationAdmin.getConfiguration(NodeConstants.NODE_STATE_PID); - Dictionary props = nodeConf.getProperties(); - if (props == null) { - if (log.isDebugEnabled()) - log.debug("Clean node state"); - Dictionary envProps = getStatePropertiesFromEnvironment(); - // Use the UUID of the first framework run as state UUID - cn = bc.getProperty(Constants.FRAMEWORK_UUID); - envProps.put(NodeConstants.CN, cn); - nodeConf.update(envProps); + public static T getService(Class clss) { + if (bundleContext != null) { + return bundleContext.getService(bundleContext.getServiceReference(clss)); } else { - // Check if state is in line with environment - Dictionary envProps = getStatePropertiesFromEnvironment(); - for (String key : LangUtils.keys(envProps)) { - Object envValue = envProps.get(key); - Object storedValue = props.get(key); - if (storedValue == null) - throw new CmsException("No state value for env " + key + "=" + envValue - + ", please clean the OSGi configuration."); - if (!storedValue.equals(envValue)) - throw new CmsException("State value for " + key + "=" + storedValue - + " is different from env value =" + envValue + ", please clean the OSGi configuration."); - } - cn = props.get(NodeConstants.CN); - if (cn == null) - throw new CmsException("No state UUID available"); + return null; } + } - Dictionary regProps = LangUtils.init(Constants.SERVICE_PID, NodeConstants.NODE_STATE_PID); - regProps.put(NodeConstants.CN, cn); - bc.registerService(LangUtils.names(NodeState.class, ManagedService.class), nodeState, regProps); + /* + * OSGi + */ + @Override + public void start(BundleContext bc) throws Exception { + if (!bc.getBundle().equals(bundleContext.getBundle())) + throw new IllegalStateException( + "Bundle " + bc.getBundle() + " is not consistent with " + bundleContext.getBundle()); + init(); + userAdminSt = new ServiceTracker<>(bundleContext, UserAdmin.class, null); + userAdminSt.open(); } @Override - public void stop(BundleContext bundleContext) throws Exception { - nodeState.shutdown(); + public void stop(BundleContext bc) throws Exception { + if (!bc.getBundle().equals(bundleContext.getBundle())) + throw new IllegalStateException( + "Bundle " + bc.getBundle() + " is not consistent with " + bundleContext.getBundle()); + destroy(); + } - instance = null; - this.bc = null; - this.permissionAdmin = null; - this.logReaderService = null; - this.configurationAdmin = null; +// private T getService(Class clazz) { +// ServiceReference sr = bundleContext.getServiceReference(clazz); +// if (sr == null) +// throw new IllegalStateException("No service available for " + clazz); +// return bundleContext.getService(sr); +// } - // if (kernel != null) { - // kernel.destroy(); - // kernel = null; - // } + public static NodeState getNodeState() { + return instance.nodeState; + } + public static GSSCredential getAcceptorCredentials() { + return getNodeUserAdmin().getAcceptorCredentials(); } - private T getService(Class clazz) { - ServiceReference sr = bc.getServiceReference(clazz); - if (sr == null) - throw new CmsException("No service available for " + clazz); - return bc.getService(sr); + @Deprecated + public static boolean isSingleUser() { + return getNodeUserAdmin().isSingleUser(); } - protected Dictionary getStatePropertiesFromEnvironment() { - Hashtable props = new Hashtable<>(); - // i18n - copyFrameworkProp(NodeConstants.I18N_DEFAULT_LOCALE, props); - copyFrameworkProp(NodeConstants.I18N_LOCALES, props); - // user admin - copyFrameworkProp(NodeConstants.ROLES_URI, props); - copyFrameworkProp(NodeConstants.USERADMIN_URIS, props); - // data - for (RepoConf repoConf : RepoConf.values()) - copyFrameworkProp(NodeConstants.NODE_REPO_PROP_PREFIX + repoConf.name(), props); - // TODO add other environment sources - return props; + public static UserAdmin getUserAdmin() { + return (UserAdmin) getNodeUserAdmin(); } - private void copyFrameworkProp(String key, Dictionary props) { - String value = bc.getProperty(key); - if (value != null) - props.put(key, value); + public static String getHttpProxySslHeader() { + return KernelUtils.getFrameworkProp(NodeConstants.HTTP_PROXY_SSL_DN); } - public static NodeState getNodeState() { - return instance.nodeState; + public static IdentClient getIdentClient(String remoteAddr) { + if (!IdentClient.isDefaultAuthdPassphraseFileAvailable()) + return null; + // TODO make passphrase more configurable + return new IdentClient(remoteAddr); + } + + private static NodeUserAdmin getNodeUserAdmin() { + NodeUserAdmin res; + try { + res = instance.userAdminSt.waitForService(60000); + } catch (InterruptedException e) { + throw new IllegalStateException("Cannot retrieve Node user admin", e); + } + if (res == null) + throw new IllegalStateException("No Node user admin found"); + + return res; + // ServiceReference sr = + // instance.bc.getServiceReference(UserAdmin.class); + // NodeUserAdmin userAdmin = (NodeUserAdmin) instance.bc.getService(sr); + // return userAdmin; + + } + + static ExecutorService getInternalExecutorService() { + return instance.internalExecutorService; } + // static CmsSecurity getCmsSecurity() { + // return instance.nodeSecurity; + // } + public String[] getLocales() { // TODO optimize? List locales = getNodeState().getLocales(); @@ -178,4 +281,13 @@ public class Activator implements BundleActivator { return res; } + static BundleContext getBundleContext() { + return bundleContext; + } + + public static void main(String[] args) { + instance = new Activator(); + instance.init(); + } + }